On 08/18/2010 02:42 PM, Ulrich David wrote:
> Hi,
>
> I'm using Bind as a cache (absolutely not authoritative) DNS for a public
> network. I have put a firewall in order to refuse incoming packets from
> people not on my network.
>
> Today, inspecting logs, I see this:
>
> Aug 18 17:31:44 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49
> Aug 18 17:31:48 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=59 TOS=00 PREC=0x00 TTL=120 ID=23374 PROTO=UDP SPT=57527 DPT=53 LEN=39
> Aug 18 17:31:51 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=207.38.104.93 DST=MY.CACHE.DNS LEN=47 TOS=00 PREC=0x00 TTL=48 ID=48457 CE PROTO=UDP SPT=32779 DPT=53 LEN=27
> Aug 18 17:31:56 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=72 TOS=00 PREC=0x00 TTL=120 ID=38433 CE PROTO=UDP SPT=53494 DPT=53 LEN=52
> Aug 18 17:32:00 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=109.164.132.64 DST=MY.CACHE.DNS LEN=60 TOS=00 PREC=0x00 TTL=112 ID=24658 PROTO=UDP SPT=51908 DPT=53 LEN=40
> Aug 18 17:32:04 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=40178 CE PROTO=UDP SPT=48147 DPT=53 LEN=49
> Aug 18 17:32:08 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48
>
> This traffic came from other DNS servers in the world. As it's UDP, I think of
> UDP queries going from my cache server to other DNS servers, and I catch their
> UDP responses in the firewall. Is it possible?
>
> So I should open my firewall for UDP on port 53 for all the world?
>
> Regards,
>
> David
David,

First, double-check that you're on a current BIND release.

Second, check that your named.conf doesn't have "query-source" bound to port 53. It's bad to always source your queries from port 53, as it allows your cache to get bogus spoofed replies from systems you aren't asking queries of.

Provided that you are running a recent version of BIND, and that you are configuring your named.conf to query from port 53, your DNS server should be sending out UDP queries from random, high-numbered ephemeral ports. See the Wikipedia article on this, which discusses Linux port defaults vs. the IANA recommended port range, etc. (as I'm typing this while offline).

Your server should be sourcing from those random, high-numbered ephemeral ports to remote DNS servers' udp/53. Their replies should come back from that same udp/53 source to your same original high-numbered ephemeral port. As you should be sending UDP queries from high-numbered ports, and your queries are never going to originate from udp/53, you should never get replies destined for your udp/53.

You should absolutely not open your firewall to queries from UDP/53, as it is not authoritative and is not an open DNS resolving server for the Internet (or if it was, you shouldn't be asking questions on here about how to secure it).

I would configure your firewall to -j DROP and not first -j LOG these packets. No need to fill up your syslog with bogus queries.

My guess is that there are some poorly configured remote firewalls.

Jason Roysdon
http://jason.roysdon.net/

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
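The two checks in Jason's reply, worked as an added example that is not part of the thread: a parser for the netfilter drop lines David quoted that separates inbound queries aimed at udp/53 (not replies to the cache's own recursion) from answer-shaped packets, and a regex test for a `query-source` statement pinned to port 53 in named.conf. The fourth log line, the 198.51.100.7 address and the named.conf layout the regex expects are constructed assumptions.

```python
import re
from collections import Counter
# Constructed sample: two drop lines quoted in the thread (DST anonymised
# as MY.CACHE.DNS by the poster) plus one constructed reply-shaped line
# (SPT=53 to a high port) from a documentation address.
SAMPLE_LOG = """\
Aug 18 17:31:44 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=195.176.219.26 DST=MY.CACHE.DNS LEN=69 TOS=00 PREC=0x00 TTL=120 ID=50785 CE PROTO=UDP SPT=56592 DPT=53 LEN=49
Aug 18 17:32:08 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=213.3.5.3 DST=MY.CACHE.DNS LEN=68 TOS=00 PREC=0x00 TTL=53 ID=15544 PROTO=UDP SPT=18967 DPT=53 LEN=48
Aug 18 17:32:12 cns1 [IPT DROP] : IN=eth0 OUT= MAC=00 SRC=198.51.100.7 DST=MY.CACHE.DNS LEN=120 TOS=00 PREC=0x00 TTL=55 ID=777 PROTO=UDP SPT=53 DPT=41233 LEN=100
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_ipt_line(line):
    """KEY=VALUE fields of a netfilter log line, ports as ints (bare flags
    like CE are skipped; of the two LEN keys the last, UDP length, wins)."""
    return {k: int(v) if k in ("SPT", "DPT") else v
            for k, v in FIELD_RE.findall(line)}

def classify(fields):
    """Label a dropped inbound UDP packet in the thread's own terms."""
    if fields["DPT"] == 53:
        # A question aimed at our cache. Replies to our own recursion return
        # to the random high port BIND sent from, never to udp/53.
        return "inbound-query"
    if fields["SPT"] == 53:
        # Answer-shaped. If conntrack already admits solicited replies, a
        # drop here is unsolicited: late, duplicate, or spoofed.
        return "unsolicited-reply"
    return "other-udp"

def summarize_drops(log_text):
    """Count UDP drops per class and, for inbound queries, per sending SRC."""
    kinds, querying_sources = Counter(), Counter()
    for line in log_text.splitlines():
        if "[IPT DROP]" in line and "PROTO=UDP" in line:
            fields = parse_ipt_line(line)
            kind = classify(fields)
            kinds[kind] += 1
            if kind == "inbound-query":
                querying_sources[fields["SRC"]] += 1
    return kinds, querying_sources

# Jason's second check, as a regex over named.conf text (assumed form:
# 'query-source [address X] port 53;', optionally query-source-v6).
PINNED_RE = re.compile(r"\bquery-source(?:-v6)?\b[^;]*\bport\s+53\s*;")

def query_source_pinned_to_53(named_conf):
    """True when a query-source statement forces source port 53."""
    return PINNED_RE.search(named_conf) is not None
```

On the sample, both quoted lines classify as inbound queries to the cache, which is exactly what the firewall should keep dropping, while the constructed SPT=53 line is the only one that looks like a reply.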